PureBoot 29 Release Candidate

jonathon.hall · January 22, 2024, 8:27pm

I’ve just posted the first release candidate for PureBoot 29, including a number of features and fixes:

* Rebased on Heads upstream master branch (c9e067c7)
  * exFAT is now supported for USB media (fixes mounting some USB flash drives)
  * Debug output can now be enabled in the configuration menu
  * Future firmware updates can be checked for integrity automatically when flashing
  * When performing OEM/factory reset with custom configuration, the GPG private key can be backed up to an encrypted flash drive partition
* Update coreboot to 4.22-Purism-1
  * Librem Mini v1/v2: Fixed a remaining source of S3 resume failures
* PureBoot now has a bootsplash (built into the ROM)
* Automatic boot timeout can be set from the configuration menu (disabled, or 1/5/10 seconds)
* Sealing HOTP presents a message if /boot can't be mounted instead of dropping to the recovery shell
* Flashing a ROM shows a message if the USB drive or ROM is unreadable
* USB keyboard support can be enabled on laptops in the configuration menu
* Root file hashing now supports Qubes default partition layout (LUKS and LVM, using root volume)

I have run essential tests on all devices to ensure you’ll be able to flash back to the prior release and boot from USB in case of a problem. I haven’t run any other tests yet, so please only run this on systems where some breakage is acceptable until more testing is done.

EDIT: Librem Mini v1/v2 have problems with SATA (always) and NVMe (resuming from suspend) in RC1, please wait until RC2 for these devices. If you already flashed RC1, flash back to the current release, shut down, unplug power, then plug in again. (Unplug is needed as this problem persists through S5 soft-off.)

You can get the release candidate firmware using coreboot_util.sh from the branch for this release:

mkdir ~/updates
cd ~/updates
wget https://source.puri.sm/firmware/utility/-/raw/PureBoot-Release-29/coreboot_util.sh
sudo bash coreboot_util.sh

Revert to the current release by using the usual update instructions.

It’ll take some time to test and release coreboot/SeaBIOS 4.22.01-Purism-1, and then to run all tests on PureBoot 29, so this will be in release candidate status for a while. I’ve already noted some benign exFAT messages that need to be silenced when mounting non-exFAT media.

If you try it, please post or send in your feedback!

TiX0 · January 23, 2024, 1:03am

I don’t really want to try this on my Qubes machine yet, since anyway I won’t use it until it goes stable; but as you mentioned testing on all Purism devices, I would very much like to know how much time it takes on a L15/v4 (Kabylake) to complete the rootfs check?
This would be an important consideration for me, since I never leave this laptop in S3 when unattended - rebooting it every time I return. So, the time it takes to use this feature would be crucial for adopting it or not.
But for sure having this feature now available for Qubes is an important security enhancement!
Thank you for putting time and efforts on this!

Honza · January 23, 2024, 10:09am

Is anyone working on PureBoot aware of this thing?

fsflover · January 23, 2024, 11:19am

This is probably a problem with EC firmware, not Pureboot.

FranklyFlawless · January 23, 2024, 11:36am

Great, I get a very warm feeling seeing “Librem 14” written in the center of the screen on startup, as it proves continued firmware support of the device years after its release.

jonathon.hall · January 23, 2024, 2:05pm

I do have a thought on that @Honza but @fsflover is right, that’s in Librem-EC, I’d planned to work on a new Librem EC release soon after PureBoot is done. I’ll follow up in the linked thread.

jonathon.hall · January 23, 2024, 2:07pm

@TiX0 I can test on 15v4 and get a number, I need to test it in the release tests anyway. What type of SSD is your root volume on? (SATA or NVMe. If you know whether it’s 2.5" or M.2 and what model I will pick something similar in the test.)

TiX0 · January 25, 2024, 12:35am

@jonathon.hall Thank you very much for proposing to do this test!
Device is Samsung SSD 970 PRO 512GB, M.2 NVMe (originally ordered from Purism SPC along with the laptop)
Qubes 4.2

jonathon.hall · February 5, 2024, 7:52pm

@TiX0 I ran this test today - added 45 seconds to boot time. Librem 15v4, Samsung 970 EVO Plus 1TB. Fresh Qubes install. It may vary a bit, but you can expect it to be somewhere around there.

I’ll have a new RC soon when I’ve finished the initial tests on all devices.

TiX0 · February 6, 2024, 3:47am

Thank you for your testing.
Yeah, 45 more seconds is a lot - more than double my current boot time.
Maybe I will wait for the new upcoming Librem before using this feature. Hopefully it will be 12th or 13th gen CPUs - that could do it.

jonathon.hall · February 6, 2024, 4:08pm

RC3 is up, instructions from the OP refer to the release branch so they will get RC3 now.

Fixed the issue on Librem Mini v1/v2 causing SATA problems due to the original fix for suspend
Silenced the spurious exFAT errors appearing on the console (upstream PR: init: Silence exFAT errors when mounting iso9660; reorder exfat last by JonathonHall-Purism · Pull Request #1602 · linuxboot/heads · GitHub)
Fixed a regression from coreboot 4.19 causing laptop brightness changes to take longer than normal (upstream review: https://review.coreboot.org/c/coreboot/+/80260)

FranklyFlawless · February 9, 2024, 7:36am

I found a bug regarding PureBoot 29 RC: reflashing back to Coreboot + SeaBIOS no longer shows the Purism logo splashscreen, and instead displays the board name (Librem 14 in my case) from the PureBoot 29 RC.

jonathon.hall · February 9, 2024, 1:32pm

That’s an intentional change @FranklyFlawless - coreboot/SeaBIOS 4.22.01-Purism-1 has the new bootsplashes as well. That was tested and released Wednesday and it’s in the changelog: changelog.md · master · firmware / releases · GitLab

Thanks for testing!